Properly Securing OpenStack Cloud Core Focus at Summit

The OpenStack Summit devoted many sessions to securing the open-source cloud platform. Some experts said the cloud offers an opportunity to do good security work.

ATLANTA—At multiple sessions at the OpenStack Summit here, developers and security researchers provided insight and details on properly securing an OpenStack cloud deployment.
Security is one of the most often cited barriers to cloud adoption, but experts speaking at the summit don't see it as an obstacle.
Enterprises really should look at cloud security from the opposite viewpoint, said Bryan Payne, director of security research at Nebula. "Cloud is an interesting opportunity to do really good security work," Payne said. "The cloud has orchestration tools that allow you to roll out consistent configuration and update your software consistently, as well."
In a cloud deployment, there is also known hardware and software, and by having a known base, it is easier for enterprises to take the right steps to secure the cloud infrastructure, Payne said. "When rolling out infrastructure for cloud, enterprises have control of what is in place and that's a security dream," he said.

A typical security function is to look at a system to see what is different from what is expected. As such, the more an organization knows about its systems, the more it can detect any divergence.

"So if you have an orchestration system and you know what your hardware and software is, then you've got a good platform for security," Payne said. To ensure OpenStack cloud platform security, Payne advocates making sure that there is a separation of concerns such that there is a different logical network for outside the cloud versus the internal cloud network.
Payne also recommends the use of Transport Layer Security (TLS) to be configured for all OpenStack deployments. TLS provides encryption for data in motion across a network.
In a cloud deployment, beyond just the actual infrastructure that provides compute, there are also guests that run on top of the cloud in virtual machines (VMs).
One of the potential cloud security risks outlined by Payne is known as a VM breakout. "What a VM breakout means is I can run code in an instance that will exploit something in the virtualization layer that will then let me run code on the host operating system itself," Payne said.
In a VM breakout situation, an attacker could potentially get access to other VMs running in a cloud. Payne emphasized that there are steps organizations can take to limit the risk of VM breakouts. Among those steps is the proper use of SELinux, or Security Enhanced Linux, which provides mandatory access control rules for processes and applications on a system.
"Getting the cloud up and running is step one," Payne said. "Securing the cloud is step two, and it is often harder than step one."
Keystone Identity Service
One primary control point for security in an OpenStack cloud is the Keystone identity service.
Organizations should take steps to secure Keystone, Keith Newstadt, cloud services architect at Symantec, explained during a session at the summit.
As an identity provider, Keystone is likely to be a target for brute-force attacks, he explained, in which criminals attempt to force their way into a system by using automated username and password lists in an attempt to gain access.
One way to protect Keystone against brute-force attacks is to introduce rate-limiting for user log-ins, Newstadt said. With rate limiting, only a certain number of user log-in requests can come into the system in a given time period.
Organizations also need to be able to blacklist malicious IP addresses as well as detect and block anomalous patterns and user behaviors, he said.
"Keystone is the gatekeeper for OpenStack," Newstadt said. "Credentials are the keys to the kingdom, so protect them."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.